Updated security headers

damienbod · damienbod · commit c322fdb3cd1b · 2024-10-05T23:03:31.000+02:00
diff --git a/DeviceFlowWeb/Program.cs b/DeviceFlowWeb/Program.cs
@@ -1,12 +1,20 @@
 ﻿using DeviceFlowWeb;
 using Microsoft.AspNetCore.Authentication.Cookies;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 
 var builder = WebApplication.CreateBuilder(args);
 
 var services = builder.Services;
 var configuration = builder.Configuration;
 var env = builder.Environment;
 
+services.AddSecurityHeaderPolicies()
+  .SetPolicySelector((PolicySelectorContext ctx) =>
+  {
+      return SecurityHeadersDefinitions
+        .GetHeaderPolicyCollection(env.IsDevelopment());
+  });
+
 services.AddScoped<DeviceFlowService>();
 services.AddHttpClient();
 services.Configure<AuthConfigurations>(configuration.GetSection("AuthConfigurations"));
@@ -40,8 +48,7 @@
 
 var app = builder.Build();
 
-app.UseSecurityHeaders(SecurityHeadersDefinitions
-    .GetHeaderPolicyCollection(env.IsDevelopment()));
+app.UseSecurityHeaders();
 
 if (env.IsDevelopment())
 {
diff --git a/DeviceFlowWeb/SecurityHeadersDefinitions.cs b/DeviceFlowWeb/SecurityHeadersDefinitions.cs
@@ -27,23 +27,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 // builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
diff --git a/StsServerIdentity/HostingExtensions.cs b/StsServerIdentity/HostingExtensions.cs
@@ -3,6 +3,7 @@
 using Fido2NetLib;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using Serilog;
 using StsServerIdentity.Data;
 using StsServerIdentity.Models;
@@ -13,6 +14,13 @@ internal static class HostingExtensions
 {
     public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
     {
+        builder.Services.AddSecurityHeaderPolicies()
+            .SetPolicySelector((PolicySelectorContext ctx) =>
+            {
+                return SecurityHeadersDefinitions
+                    .GetHeaderPolicyCollection(builder.Environment.IsDevelopment());
+            });
+
         builder.Services.AddRazorPages();
 
         builder.Services.AddDbContext<ApplicationDbContext>(options =>
diff --git a/StsServerIdentity/SecurityHeadersDefinitions.cs b/StsServerIdentity/SecurityHeadersDefinitions.cs
@@ -30,23 +30,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 // builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
diff --git a/WebApi/HostingExtensions.cs b/WebApi/HostingExtensions.cs
@@ -2,6 +2,7 @@
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.OpenApi.Models;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using Serilog;
 
 namespace WebApi;
@@ -16,6 +17,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
         var configuration = builder.Configuration;
         _env = builder.Environment;
 
+        services.AddSecurityHeaderPolicies()
+            .SetPolicySelector((PolicySelectorContext ctx) =>
+            {
+                return SecurityHeadersDefinitions.GetHeaderPolicyCollection(
+                    _env!.IsDevelopment());
+            });
+
         services.Configure<CookiePolicyOptions>(options =>
         {
             // This lambda determines whether user consent for non-essential cookies is needed for a given request.
@@ -90,8 +98,7 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 
         app.UseSerilogRequestLogging();
 
-        app.UseSecurityHeaders(SecurityHeadersDefinitions.GetHeaderPolicyCollection(
-            _env!.IsDevelopment()));
+        app.UseSecurityHeaders();
 
         if (_env!.IsDevelopment())
         {
diff --git a/WebApi/SecurityHeadersDefinitions.cs b/WebApi/SecurityHeadersDefinitions.cs
@@ -12,23 +12,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
             .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
             .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp())
             .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         AddCspHstsDefinitions(isDev, policy);
 
diff --git a/WebHybridFlowClient/HostingExtensions.cs b/WebHybridFlowClient/HostingExtensions.cs
@@ -2,6 +2,7 @@
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Logging;
+using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using Serilog;
 
 namespace WebHybridClient;
@@ -16,6 +17,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
         var configuration = builder.Configuration;
         _env = builder.Environment;
 
+        services.AddSecurityHeaderPolicies()
+            .SetPolicySelector((PolicySelectorContext ctx) =>
+            {
+                return SecurityHeadersDefinitions
+                    .GetHeaderPolicyCollection(_env!.IsDevelopment());
+            });
+
         services.AddTransient<ApiService>();
         services.AddSingleton<ApiTokenInMemoryClient>();
         services.AddSingleton<ApiTokenCacheClient>();
@@ -62,8 +70,7 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 
         app.UseSerilogRequestLogging();
 
-        app.UseSecurityHeaders(
-            SecurityHeadersDefinitions.GetHeaderPolicyCollection(_env!.IsDevelopment()));
+        app.UseSecurityHeaders();
 
         if (_env!.IsDevelopment())
         {
diff --git a/WebHybridFlowClient/SecurityHeadersDefinitions.cs b/WebHybridFlowClient/SecurityHeadersDefinitions.cs
@@ -27,23 +27,7 @@ public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
                 // builder.AddCustomDirective("require-trusted-types-for", "'script'");
             })
             .RemoveServerHeader()
-            .AddPermissionsPolicy(builder =>
-            {
-                builder.AddAccelerometer().None();
-                builder.AddAutoplay().None();
-                builder.AddCamera().None();
-                builder.AddEncryptedMedia().None();
-                builder.AddFullscreen().All();
-                builder.AddGeolocation().None();
-                builder.AddGyroscope().None();
-                builder.AddMagnetometer().None();
-                builder.AddMicrophone().None();
-                builder.AddMidi().None();
-                builder.AddPayment().None();
-                builder.AddPictureInPicture().None();
-                builder.AddSyncXHR().None();
-                builder.AddUsb().None();
-            });
+            .AddPermissionsPolicyWithDefaultSecureDirectives();
 
         if (!isDev)
         {
